- Fix gnome_manage_data interface

- Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy
2010-12-03 17:07:37 +00:00 · 2010-12-03 17:07:37 +00:00 · a4f1f54302
commit a4f1f54302
parent 09460452b6
2 changed files with 96 additions and 27 deletions
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -2520,7 +2520,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..dd4bd1e 100644
+index f5afe78..df99449 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
@@ -37,8 +37,7 @@ interface(`gnome_role',`
@ -2533,7 +2533,7 @@ index f5afe78..dd4bd1e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -46,25 +45,300 @@ interface(`gnome_role',`
+@@ -46,25 +45,302 @@ interface(`gnome_role',`
 ##	</summary>
 ## </param>
 #
@ -2797,8 +2797,10 @@ index f5afe78..dd4bd1e 100644
 +interface(`gnome_manage_data',`
 +        gen_require(`
 +                type data_home_t;
+				type gconf_home_t;
 +        ')
 +
+		allow $1 gconf_home_t:dir search_dir_perms;
 +        manage_files_pattern($1, data_home_t, data_home_t)
 +')
 +
@ -2840,7 +2842,7 @@ index f5afe78..dd4bd1e 100644
 	gen_require(`
 		type gconf_etc_t;
 	')
-@@ -76,7 +350,27 @@ template(`gnome_read_gconf_config',`
+@@ -76,7 +352,27 @@ template(`gnome_read_gconf_config',`
 
 #######################################
 ## <summary>
@ -2869,7 +2871,7 @@ index f5afe78..dd4bd1e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -84,37 +378,40 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +380,40 @@ template(`gnome_read_gconf_config',`
 ##	</summary>
 ## </param>
 #
@ -2921,7 +2923,7 @@ index f5afe78..dd4bd1e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -122,12 +419,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +421,13 @@ interface(`gnome_stream_connect_gconf',`
 ##	</summary>
 ## </param>
 #
@ -2938,7 +2940,7 @@ index f5afe78..dd4bd1e 100644
 ')
 
 ########################################
-@@ -151,40 +449,173 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +451,173 @@ interface(`gnome_setattr_config_dirs',`
 
 ########################################
 ## <summary>
@ -26200,7 +26202,7 @@ index 0a0d63c..d02b476 100644
 
 mysql_manage_db_files(mysqld_safe_t)
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..f54b3b8 100644
+index 8581040..cfcdf10 100644
 --- a/policy/modules/services/nagios.if
 +++ b/policy/modules/services/nagios.if
@@ -12,10 +12,8 @@
@ -26215,7 +26217,7 @@ index 8581040..f54b3b8 100644
 	')
 
 	type nagios_$1_plugin_t;
-@@ -26,6 +24,7 @@ template(`nagios_plugin_template',`
+@@ -26,9 +24,11 @@ template(`nagios_plugin_template',`
 	allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
 
 	domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
@ -26223,7 +26225,11 @@ index 8581040..f54b3b8 100644
 
 	# needed by command.cfg
 	domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-@@ -36,6 +35,8 @@ template(`nagios_plugin_template',`
+	allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+ 
+ 	allow nagios_t nagios_$1_plugin_t:process signal_perms;
+ 
+@@ -36,6 +36,8 @@ template(`nagios_plugin_template',`
 	dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
 	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
 
@ -26232,7 +26238,7 @@ index 8581040..f54b3b8 100644
 	miscfiles_read_localization(nagios_$1_plugin_t)
 ')
 
-@@ -49,7 +50,6 @@ template(`nagios_plugin_template',`
+@@ -49,7 +51,6 @@ template(`nagios_plugin_template',`
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
@ -26240,7 +26246,7 @@ index 8581040..f54b3b8 100644
 #
 interface(`nagios_dontaudit_rw_pipes',`
 	gen_require(`
-@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',`
+@@ -159,6 +160,26 @@ interface(`nagios_read_tmp_files',`
 
 ########################################
 ## <summary>
@ -26267,7 +26273,7 @@ index 8581040..f54b3b8 100644
 ##	Execute the nagios NRPE with
 ##	a domain transition.
 ## </summary>
-@@ -195,11 +215,9 @@ interface(`nagios_domtrans_nrpe',`
+@@ -195,11 +216,9 @@ interface(`nagios_domtrans_nrpe',`
 #
 interface(`nagios_admin',`
 	gen_require(`
@ -26283,7 +26289,7 @@ index 8581040..f54b3b8 100644
 
 	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..433417a 100644
+index da5b33d..3ce90f7 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@ -26354,15 +26360,17 @@ index da5b33d..433417a 100644
 ')
 
 ######################################
-@@ -310,6 +310,7 @@ optional_policy(`
+@@ -310,6 +310,9 @@ optional_policy(`
 # needed by ioctl()
 allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
 
+kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
+
 +files_getattr_all_dirs(nagios_checkdisk_plugin_t)
 files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
 
 fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +324,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +326,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
 
 allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
 allow nagios_services_plugin_t self:process { signal sigkill };
@ -26370,7 +26378,7 @@ index da5b33d..433417a 100644
 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
 allow nagios_services_plugin_t self:udp_socket create_socket_perms;
 
-@@ -340,6 +340,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +342,8 @@ files_read_usr_files(nagios_services_plugin_t)
 
 optional_policy(`
 	netutils_domtrans_ping(nagios_services_plugin_t)
@ -32529,7 +32537,7 @@ index cda37bb..484e552 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 8e1ab72..288e6cc 100644
+index 8e1ab72..e6821be 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@ -32607,15 +32615,17 @@ index 8e1ab72..288e6cc 100644
 ########################################
 #
 # NFSD local policy
-@@ -120,6 +133,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,6 +133,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
 +kernel_setsched(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -148,6 +162,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +164,8 @@ storage_raw_read_removable_device(nfsd_t)
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
@ -32624,7 +32634,7 @@ index 8e1ab72..288e6cc 100644
 # Write access to public_content_t and public_content_rw_t
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
-@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
 
 allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
 allow gssd_t self:process { getsched setsched };
@ -32633,7 +32643,7 @@ index 8e1ab72..288e6cc 100644
 
 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -218,6 +234,8 @@ tunable_policy(`allow_gssd_read_tmp',`
+@@ -218,6 +236,8 @@ tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_user_tmp(gssd_t)
 	userdom_read_user_tmp_files(gssd_t)
 	userdom_read_user_tmp_symlinks(gssd_t)
@ -37748,7 +37758,7 @@ index 6f1e3c7..ecfe665 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..4b06508 100644
+index da2601a..6b12229 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -38328,7 +38338,7 @@ index da2601a..4b06508 100644
 ')
 
 ########################################
-@@ -1243,10 +1395,355 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1395,393 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -38395,6 +38405,44 @@ index da2601a..4b06508 100644
 +	')
 +')
 +
+#######################################
+## <summary>
+##  Allow search the xdm_spool files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xserver_xdm_search_spool',`
+    gen_require(`
+        type xdm_spool_t;
+    ')
+
+    files_search_spool($1)
+    search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+######################################
+## <summary>
+##  Allow read the xdm_spool files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xserver_xdm_read_spool',`
+    gen_require(`
+        type xdm_spool_t;
+    ')
+
+    files_search_spool($1)
+    read_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
 +########################################
 +## <summary>
 +##	Manage the xdm_spool files
@ -42694,10 +42742,26 @@ index 663a47b..ad0b864 100644
 +	allow $1 iscsid_t:sem create_sem_perms;
 +')
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index 1d1c399..3ab3a47 100644
+index 1d1c399..67d0dec 100644
 --- a/policy/modules/system/iscsi.te
 +++ b/policy/modules/system/iscsi.te
-@@ -76,6 +76,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t)
+ #
+ 
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+dontaudit iscsid_t self:capability { sys_ptrace };
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -64,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+ 
+ kernel_read_network_state(iscsid_t)
+ kernel_read_system_state(iscsid_t)
+kernel_setsched(iscsid_t)
+ 
+ corenet_all_recvfrom_unlabeled(iscsid_t)
+ corenet_all_recvfrom_netlabel(iscsid_t)
+@@ -76,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
 
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
@ -42706,7 +42770,7 @@ index 1d1c399..3ab3a47 100644
 
 domain_use_interactive_fds(iscsid_t)
 domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t)
+@@ -91,5 +95,5 @@ logging_send_syslog_msg(iscsid_t)
 miscfiles_read_localization(iscsid_t)
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.10
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,11 @@ exit 0
 %endif

 %changelog
+* Fri Dec 3 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-6
+- Fix gnome_manage_data interface
+- Dontaudit sys_ptrace capability for iscsid
+- Fixes for nagios plugin policy
+
 * Thu Dec 1 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-5
 - Fix cron to run ranged when started by init
 - Fix devicekit to use log files